Video Screencast Help

Installing Third-Party Certificate for SEPM 12.1 web console

Created: 24 Apr 2013 | 8 comments

I am looking for help on enabling SSL with third party certificate from a trusted CA for the symantec web console.
I've followed the steps describe here :
It's kinda of working : the server respond well on the 443 ssl port, the certificate is the new trusted one. But on the 8443 port, the port that is used by the web console, it's the original auto signed symantec certificate that is still in use. The one that is refused by the web brower...

I'm not searching to know how to install the auto signed cerificate on the browser, i'm really searching to install a "true" cerificate on the server
Any help would be welcome :)

Operating Systems:

Comments 8 CommentsJump to latest comment

W007's picture


Look this artical

Don't forget to mark your thread as 'SOLVED' with the answer that best helped you.

SMLatCST's picture

I'm afraid it is not possible to change the inbuilt certificate for accessing the SEPM console.

The only certificate that can be changed, is/are the one(s) for client communications and for the Reporting component of the SEPM (used for providing the HOME, MONITORS, and REPORTS sections of the console).

Please see my article (which Manish kindly linked) above for how to change the cert for the client communications and Reporting components.

As it stands, there is no way of changing the cert for the main SEPM console.  Do you have a specific requirement for it to use a trusted 3rd party cert?  Perhaps you can contact Symantec Support for an answer or submit this requirement as an IDEA on the forums.

derf's picture

That's what I feared :/
thanks for the info, my trusted certifiate is indeed now used for client communications. That's already something.
No real requirement here, but I found it quite not right for a security product such as SEPM to not be able to use a trusted certificate for its web console.

Anyway thanks for the replies :)

SMLatCST's picture

To be fair, the use of a 3rd party signing is to help determine if an unknown resource (i.e. random web server on the interweb) is who they say they are.  The fact that you built the SEPM yourself means that you know it's safe, secure, and trustworthy, in which case the 3rd party signing is of no real benefit (other than to get rid of the "certificate not trusted" prompt smiley).

SMLatCST's picture

Oh yeah, it's probably worth reiterating that the steps you've already gone through will have updated the cert used for the Reporting component (as I mentioned above).

This means that for just reporting purposes, the SEPM will use your new cert.  I don't know if this satisfies your requirements, but it is accessible via the below URL (assuming your SEPM is using the default Reporting port):


Obviously, just replace <SEPM> with the address of the SEPM used in the cert.

Stan3's picture
Same question here, I have followed the
Now I can access "https://<SEPM>:8445/reporting/index.php" with my cert, 
But when i access Symantec Endpoint Protection Manager Web Console (https://<SEPM>:8443/console/apps/sepm), it still stick with own self-sign cert.
Anyway to change it?
Stan3's picture

hey derf,

finally i fixed it, just logon to SEPM -> Admin -> Servers -> select your server, then click "Manage Server Certificate" in Tasks list, then select "Update the server certificate" -> Select "Certificate and Private Key file", i am using the new crt and server.key. Finish! 

after that , restart SEPM web server service.


IEC-IT's picture

I don't know but for me it was easy :)
Generate new request file for a certificate from "Certificate" snap-in on SEP server, based on corp. Web template. Submit it on a Issuing Server. Import ready certificate into SEP server.
Export certificate with Private key = sep_web_access_corp_cert.pfx

And then "

SEPM -> Admin -> Servers -> select your server, then click "Manage Server Certificate" in Tasks list, then select "Update the server certificate" -> Select "PKCS12 keystore (.pfx or .p12) " file.

the Fields in template of certificate (I found in self-signed cert. of SEPM ):
Subject: Common Name = sepm.domain.local
Alternativa Subject: DNS = sepm.domain.local, sepm
IPv6 = IPv6

all works good.-)